def testIOSNonCanonical(self):
"""Test parsing of IOS match terms in non-output formats."""
x = "access-list 100 permit tcp any any eq ftp-data"
y = "access-list 100 permit tcp any any eq 20"
self.assertEqual(acl.parse(x).output_ios(), [y])
x = "access-list 100 permit ip any 192.0.2.99 0.0.0.0"
y = "access-list 100 permit ip any host 192.0.2.99"
self.assertEqual(acl.parse(x).output_ios(), [y])
def testIOSNonCanonical(self):
"""Test parsing of IOS match terms in non-output formats."""
x = 'access-list 100 permit tcp any any eq ftp-data'
y = 'access-list 100 permit tcp any any eq 20'
self.assertEqual(acl.parse(x).output_ios(), [y])
x = 'access-list 100 permit ip any 192.0.2.99 0.0.0.0'
y = 'access-list 100 permit ip any host 192.0.2.99'
self.assertEqual(acl.parse(x).output_ios(), [y])
def testIOSACL(self):
"""Test parsing of IOS numbered ACLs."""
text = '\n'.join(['access-list 100 permit ' + x for x in ios_matches])
self.assertEqual('\n'.join(acl.parse(text).output_ios()), text)
# Non-canonical forms:
x = 'access-list 100 permit icmp any any log echo'
y = 'access-list 100 permit icmp any any echo log'
a = acl.parse(x)
self.assertEqual(a.output_ios(), [y])
self.assertEqual(a.format, 'ios')
def testIOSACL(self):
"""Test parsing of IOS numbered ACLs."""
text = "\n".join(["access-list 100 permit " + x for x in ios_matches])
self.assertEqual("\n".join(acl.parse(text).output_ios()), text)
# Non-canonical forms:
x = "access-list 100 permit icmp any any log echo"
y = "access-list 100 permit icmp any any echo log"
a = acl.parse(x)
self.assertEqual(a.output_ios(), [y])
self.assertEqual(a.format, "ios")
def testFirewallReplace(self):
"""Test JunOS ACL with "firewall { replace:" around it."""
acl.parse('''
firewall {
replace:
filter blah {
term foo {
then {
accept;
}
}
}
}''')
def testJunOSExamples(self):
"""Test examples from JunOS documentation."""
examples = file(EXAMPLES_FILE).read().expandtabs().split("\n\n")
# Skip the last two because they use the unimplemented "except"
# feature in address matches.
for i in range(0, 14, 2):
if examples[i + 1].find("policer"):
continue
x = examples[i + 1].split("\n")
y = acl.parse(examples[i]).output_junos()
self.assertEqual(x, y)
self.assertEqual(y.format, "junos")
z = acl.parse("\n".join(y)).output_junos()
self.assertEqual(y, z)
def testJunOSExamples(self):
"""Test examples from JunOS documentation."""
examples = file(EXAMPLES_FILE).read().expandtabs().split('\n\n')
# Skip the last two because they use the unimplemented "except"
# feature in address matches.
for i in range(0, 14, 2):
if examples[i + 1].find('policer'):
continue
x = examples[i + 1].split('\n')
y = acl.parse(examples[i]).output_junos()
self.assertEqual(x, y)
self.assertEqual(y.format, 'junos')
z = acl.parse('\n'.join(y)).output_junos()
self.assertEqual(y, z)
def testFirewallReplace(self):
"""Test JunOS ACL with "firewall { replace:" around it."""
acl.parse(
"""
firewall {
replace:
filter blah {
term foo {
then {
accept;
}
}
}
}"""
)
def testIOSNamedACL(self):
"""Test parsing of IOS named ACLs."""
x = 'ip access-list extended foo\n'
x += '\n'.join([' permit ' + x for x in ios_matches])
a = acl.parse(x)
self.assertEqual(a.output_ios_named(), x.split('\n'))
self.assertEqual(a.format, 'ios_named')
def testPolicer(self):
'''test policer stuff.'''
x = \
'''firewall {
replace:
policer test {
if-exceeding {
bandwidth-limit 32000;
burst-size-limit 32000;
}
then {
discard;
}
}
policer test2 {
if-exceeding {
bandwidth-limit 32000;
burst-size-limit 32000;
}
then {
discard;
}
}
}'''
a = acl.parse(x)
self.assertEqual(a.output(replace=True), x.split('\n'))
def testPolicer(self):
"""test policer stuff."""
x = """firewall {
replace:
policer test {
if-exceeding {
bandwidth-limit 32000;
burst-size-limit 32000;
}
then {
discard;
}
}
policer test2 {
if-exceeding {
bandwidth-limit 32000;
burst-size-limit 32000;
}
then {
discard;
}
}
}"""
a = acl.parse(x)
self.assertEqual(a.output(replace=True), x.split("\n"))
def testIOSNamedACL(self):
"""Test parsing of IOS named ACLs."""
x = "ip access-list extended foo\n"
x += "\n".join([" permit " + x for x in ios_matches])
a = acl.parse(x)
self.assertEqual(a.output_ios_named(), x.split("\n"))
self.assertEqual(a.format, "ios_named")
def testIOSACLNegation(self):
"""Test handling of "no access-list" command."""
x = [
'access-list 100 permit udp any any', 'no access-list 100',
'access-list 100 permit tcp any any'
]
self.assertEqual(acl.parse('\n'.join(x)).output_ios(), x[-1:])
def testIOSNamedACLRemarks(self):
"""Test parsing of 'remark' lines in IOS named ACLs."""
x = '''\
ip access-list extended foo
permit nos any any
remark Need more NOS!
permit nos any any'''
self.assertEqual(acl.parse(x).output_ios_named(), x.split('\n'))
def testIOSNamedACLRemarks(self):
"""Test parsing of 'remark' lines in IOS named ACLs."""
x = """\
ip access-list extended foo
permit nos any any
remark Need more NOS!
permit nos any any"""
self.assertEqual(acl.parse(x).output_ios_named(), x.split("\n"))
def testDoubleQuotes(self):
"""Test JunOS double-quoted names (regression)."""
x = """\
filter test {
term "awkward term name" {
then {
accept;
count "awkward term name";
}
}
}"""
a = acl.parse(x)
self.assertEqual(a.terms[0].name, "awkward term name")
self.assertEqual("\n".join(a.output_junos()), x)
def testDoubleQuotes(self):
'''Test JunOS double-quoted names (regression).'''
x = '''\
filter test {
term "awkward term name" {
then {
accept;
count "awkward term name";
}
}
}'''
a = acl.parse(x)
self.assertEqual(a.terms[0].name, 'awkward term name')
self.assertEqual('\n'.join(a.output_junos()), x)
def testTCPFlags(self):
"""Test tcp-established and is-fragment."""
x = """\
filter x {
term y {
from {
is-fragment;
tcp-established;
}
then {
accept;
}
}
}"""
self.assertEqual(x, "\n".join(acl.parse(x).output_junos()))
def testTCPFlags(self):
"""Test tcp-established and is-fragment."""
x = '''\
filter x {
term y {
from {
is-fragment;
tcp-established;
}
then {
accept;
}
}
}'''
self.assertEqual(x, '\n'.join(acl.parse(x).output_junos()))
def testRanges(self):
'''Test JunOS ICMP and protocol ranges (regression).'''
x = '''
filter 115j {
term ICMP {
from {
protocol tcp-17;
icmp-type [ echo-reply 10-11 ];
}
then {
accept;
count ICMP;
}
}
}'''
a = acl.parse(x)
def testRanges(self):
"""Test JunOS ICMP and protocol ranges (regression)."""
x = """
filter 115j {
term ICMP {
from {
protocol tcp-17;
icmp-type [ echo-reply 10-11 ];
}
then {
accept;
count ICMP;
}
}
}"""
a = acl.parse(x)
def testCommentStress(self):
#'''Test pathological JunOS comments.'''
'''Test pathological JunOS comments. We want this to error in order to pass.
NO MULTI-LINE COMMENTS!!
'''
x = '''
filter 100 {
/* one */ /* two */
term/* */y {
from /*{*/ /******/ {
protocol tcp; /*
*/ destination-port 80/**/;
/* tcp-established; */
}
/* /* /* */
}
}'''
self.assertRaises(exceptions.ParserSyntaxError, lambda: acl.parse(x))
def testCommentStress(self):
#'''Test pathological JunOS comments.'''
"""Test pathological JunOS comments. We want this to error in order to pass.
NO MULTI-LINE COMMENTS!!
"""
x = """
filter 100 {
/* one */ /* two */
term/* */y {
from /*{*/ /******/ {
protocol tcp; /*
*/ destination-port 80/**/;
/* tcp-established; */
}
/* /* /* */
}
}"""
self.assertRaises(exceptions.ParserSyntaxError, lambda: acl.parse(x))
def testInactiveTerm(self):
"""Test terms flagged as inactive."""
x = """\
filter 100 {
term t1 {
then {
reject;
}
}
inactive: term t2 {
then {
accept;
}
}
term t3 {
then {
accept;
}
}
}"""
y = acl.parse(x)
self.assertEqual(y.output_junos(), x.split("\n"))
self.assertRaises(exceptions.VendorSupportLacking, y.output_ios)
def testInactiveTerm(self):
"""Test terms flagged as inactive."""
x = '''\
filter 100 {
term t1 {
then {
reject;
}
}
inactive: term t2 {
then {
accept;
}
}
term t3 {
then {
accept;
}
}
}'''
y = acl.parse(x)
self.assertEqual(y.output_junos(), x.split('\n'))
self.assertRaises(exceptions.VendorSupportLacking, y.output_ios)
def testModifierWithoutAction(self):
"""Test modifier without action."""
x = '''filter x { term y { then { count z; } } }'''
y = acl.parse(x)
self.assertEqual(y.terms[0].action, ('accept', ))
def testShorthandIPv4(self):
"""Test incomplete IP blocks like "10/8" (vs. "10.0.0.0/8")."""
x = '''filter x { term y { from { address { 10/8; } } } }'''
y = acl.parse(x)
self.assertEqual(y.terms[0].match['address'][0].strNormal(),
'10.0.0.0/8')
def testParseFile(self):
"""Make sure we can apply trigger.acl.parse() to file objects."""
a = acl.parse(StringIO("access-list 100 deny ip any any"))
self.assertEqual(a.name, "100")
def testIOSACLDecoration(self):
"""Test IOS ACLs with comments, blank lines, and "end"."""
x = "\n! comment\n\naccess-list 100 permit udp any any log ! ok\nend\n"
y = ["! ok", "! comment", "access-list 100 permit udp any any log"]
a = acl.parse(x)
self.assertEqual(a.output_ios(), y)
def testICMPIOSNames(self):
"""Test stringification of ICMP types and codes into IOS format."""
x = "access-list 100 permit icmp 172.16.0.0 0.15.255.255 any 8"
y = "access-list 100 permit icmp 172.16.0.0 0.15.255.255 any echo"
self.assertEqual(acl.parse(x).output_ios(), [y])
self.assertEqual(acl.parse(y).output_ios(), [y])
def testNextTerm(self):
'''Test "next term" action (regression).'''
x = 'filter f { term t { then { next term; } } }'
a = acl.parse(x)
def testShorthandIPv4(self):
"""Test incomplete IP blocks like "10/8" (vs. "10.0.0.0/8")."""
x = """filter x { term y { from { address { 10/8; } } } }"""
y = acl.parse(x)
self.assertEqual(y.terms[0].match["address"][0].strNormal(), "10.0.0.0/8")
def testIOSBadACL(self):
"""Test handling of a bad ACL."""
text = 'access-list 145 permit tcp any any;\naccess-list 145 deny ip any any'
self.assertRaises(exceptions.ParseError, lambda: acl.parse(text))
def testIOSACLDecoration(self):
"""Test IOS ACLs with comments, blank lines, and "end"."""
x = '\n! comment\n\naccess-list 100 permit udp any any log ! ok\nend\n'
y = ['! ok', '! comment', 'access-list 100 permit udp any any log']
a = acl.parse(x)
self.assertEqual(a.output_ios(), y)
def testIOSBadACL(self):
"""Test handling of a bad ACL."""
text = "access-list 145 permit tcp any any;\naccess-list 145 deny ip any any"
self.assertRaises(exceptions.ParseError, lambda: acl.parse(text))
def testICMPIOSNames(self):
"""Test stringification of ICMP types and codes into IOS format."""
x = 'access-list 100 permit icmp 172.16.0.0 0.15.255.255 any 8'
y = 'access-list 100 permit icmp 172.16.0.0 0.15.255.255 any echo'
self.assertEqual(acl.parse(x).output_ios(), [y])
self.assertEqual(acl.parse(y).output_ios(), [y])
def testNextTerm(self):
"""Test "next term" action (regression)."""
x = "filter f { term t { then { next term; } } }"
a = acl.parse(x)
def testIOSLongComments(self):
"""Test long comments in IOS ACLs."""
# Regression: naïve comment handling caused this to exceed the
# maximum recursion depth.
acl.parse('!' * 200 + '\naccess-list 100 deny ip any any')
def testIOSLongComments(self):
"""Test long comments in IOS ACLs."""
# Regression: naïve comment handling caused this to exceed the
# maximum recursion depth.
acl.parse("!" * 200 + "\naccess-list 100 deny ip any any")
def testModifierWithoutAction(self):
"""Test modifier without action."""
x = """filter x { term y { then { count z; } } }"""
y = acl.parse(x)
self.assertEqual(y.terms[0].action, ("accept",))
def testParseFile(self):
"""Make sure we can apply trigger.acl.parse() to file objects."""
a = acl.parse(StringIO('access-list 100 deny ip any any'))
self.assertEqual(a.name, '100')
def testIOSACLNegation(self):
"""Test handling of "no access-list" command."""
x = ["access-list 100 permit udp any any", "no access-list 100", "access-list 100 permit tcp any any"]
self.assertEqual(acl.parse("\n".join(x)).output_ios(), x[-1:])